Merge pull request #5562 from percona-ysorokin/dev/PS-9024-8.0-audit_log_filter_host_wildcards

percona-ysorokin · web-flow · commit ed94038dc1f6 · 2025-02-27T23:40:08.000+01:00
PS-9033 and PS-9024 fixes: audit_log_filter_set_user does not allow wildcards in hostname (8.0)
diff --git a/plugin/audit_log_filter/audit_log_filter.cc b/plugin/audit_log_filter/audit_log_filter.cc
@@ -605,24 +605,28 @@ bool AuditLogFilter::get_connection_user(Security_context_handle &ctx,
   MYSQL_LEX_CSTRING user{"", 0};
   MYSQL_LEX_CSTRING host{"", 0};
 
-  if (m_security_context_opts_srv->get(ctx, "user", &user)) {
+  if (m_security_context_opts_srv->get(ctx, "priv_user", &user)) {
     LogPluginErr(ERROR_LEVEL, ER_LOG_PRINTF_MSG,
                  "Can not get user name from security context");
     return false;
   }
 
-  if (m_security_context_opts_srv->get(ctx, "host", &host)) {
+  if (m_security_context_opts_srv->get(ctx, "priv_host", &host)) {
     LogPluginErr(ERROR_LEVEL, ER_LOG_PRINTF_MSG,
                  "Can not get user host from security context");
     return false;
   }
 
-  if (user.length == 0 || host.length == 0) {
-    return false;
+  if (user.length == 0) {
+    user_name.clear();
+  } else {
+    user_name.assign(user.str, user.length);
+  }
+  if (host.length == 0) {
+    user_host.clear();
+  } else {
+    user_host.assign(host.str, host.length);
   }
-
-  user_name = user.str;
-  user_host = host.str;
 
   return true;
 }
diff --git a/plugin/audit_log_filter/audit_udf.cc b/plugin/audit_log_filter/audit_udf.cc
@@ -73,7 +73,8 @@ std::unique_ptr<UserNameInfo> check_parse_user_name_host(
 
   const std::regex user_name_all_regex("^%$");
   const std::regex user_name_regex("(.*)@(.*)");
-  const std::regex deprecated_symbols_regex("[\\*|\\%]");
+  const std::regex deprecated_account_name_characters_regex("[*|%]");
+  const std::regex deprecated_host_name_characters_regex("[*|]");
 
   auto user_info_data = std::make_unique<UserNameInfo>();
 
@@ -107,13 +108,15 @@ std::unique_ptr<UserNameInfo> check_parse_user_name_host(
         return nullptr;
       }
 
-      if (std::regex_search(user_name_match.str(), deprecated_symbols_regex)) {
+      if (std::regex_search(user_name_match.str(),
+                            deprecated_account_name_characters_regex)) {
         std::snprintf(message, MYSQL_ERRMSG_SIZE,
                       "Wrong argument: bad user name format");
         return nullptr;
       }
 
-      if (std::regex_search(user_host_match.str(), deprecated_symbols_regex)) {
+      if (std::regex_search(user_host_match.str(),
+                            deprecated_host_name_characters_regex)) {
         std::snprintf(message, MYSQL_ERRMSG_SIZE,
                       "Wrong argument: bad host name format");
         return nullptr;
diff --git a/plugin/audit_log_filter/log_record_formatter/json.cc b/plugin/audit_log_filter/log_record_formatter/json.cc
@@ -406,7 +406,7 @@ AuditRecordString LogRecordFormatterJson::apply(
          << "\",\n"
          << R"(      "status": )" << audit_record.event->status << ",\n"
          << R"(      "db": ")"
-         << make_escaped_string(&audit_record.event->database) << "\""
+         << make_escaped_string(&audit_record.event->database) << "\"\n"
          << "    }" << extra_attrs_to_string(audit_record.extended_info)
          << "\n  }";
 
@@ -921,7 +921,7 @@ std::string LogRecordFormatterJson::extra_attrs_to_string(
       is_first_attr = false;
     }
 
-    result << "}";
+    result << "\n    }";
   }
 
   return result.str();
diff --git a/plugin/audit_log_filter/tests/mtr/r/filter_definition_filter_by_anonymous_user.result b/plugin/audit_log_filter/tests/mtr/r/filter_definition_filter_by_anonymous_user.result
@@ -0,0 +1,51 @@
+CREATE USER ''@'127.0.0.1';
+SET @filter = '{
+  "filter": {
+    "class": {
+      "name": "connection",
+      "event": {
+        "name": "connect"
+      }
+    }
+  }
+}';
+SELECT audit_log_filter_set_filter('log_connect', @filter);
+audit_log_filter_set_filter('log_connect', @filter)
+OK
+###
+### 1. Connecting as an anonymous user with no rules set
+###
+SET @audit_filter_log_name = audit_log_rotate();
+USER()	CURRENT_USER()
+foobarbaz@localhost	@127.0.0.1
+SET @audit_filter_log_name = audit_log_rotate();
+SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
+###
+### 2. Connecting as an anonymous user with default rule set
+###
+SELECT audit_log_filter_set_user('%', 'log_connect');
+audit_log_filter_set_user('%', 'log_connect')
+OK
+SET @audit_filter_log_name = audit_log_rotate();
+USER()	CURRENT_USER()
+foobarbaz@localhost	@127.0.0.1
+SET @audit_filter_log_name = audit_log_rotate();
+SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
+###
+### 3. Connecting as an anonymous user with a dedicated rule for this anonymous user
+###
+SELECT audit_log_filter_remove_user('%');
+audit_log_filter_remove_user('%')
+OK
+SELECT audit_log_filter_set_user('@127.0.0.1', 'log_connect');
+audit_log_filter_set_user('@127.0.0.1', 'log_connect')
+OK
+SET @audit_filter_log_name = audit_log_rotate();
+USER()	CURRENT_USER()
+foobarbaz@localhost	@127.0.0.1
+SET @audit_filter_log_name = audit_log_rotate();
+SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
+SELECT audit_log_filter_remove_user('@127.0.0.1');
+audit_log_filter_remove_user('@127.0.0.1')
+OK
+DROP USER ''@'127.0.0.1';
diff --git a/plugin/audit_log_filter/tests/mtr/r/filter_definition_filter_by_wildcard_host.result b/plugin/audit_log_filter/tests/mtr/r/filter_definition_filter_by_wildcard_host.result
@@ -0,0 +1,126 @@
+SET @filter = '{
+  "filter": {
+    "class": {
+      "name": "connection",
+      "event": {
+        "name": "connect"
+      }
+    }
+  }
+}';
+SELECT audit_log_filter_set_filter('log_connect', @filter);
+audit_log_filter_set_filter('log_connect', @filter)
+OK
+###
+### 1.1 IPv4 and IPv6 users, default audit log rule
+###
+CREATE USER 'usr'@'127.0.0.1' IDENTIFIED BY 'password';
+CREATE USER 'usr'@'::1' IDENTIFIED BY 'password';
+SELECT audit_log_filter_set_user('%', 'log_connect');
+audit_log_filter_set_user('%', 'log_connect')
+OK
+SET @audit_filter_log_name = audit_log_rotate();
+USER()	CURRENT_USER()
+usr@localhost	usr@127.0.0.1
+USER()	CURRENT_USER()
+usr@localhost	usr@::1
+SET @audit_filter_log_name = audit_log_rotate();
+SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
+###
+### 1.2 IPv4 and wildcard users, default audit log rule
+###
+DROP USER 'usr'@'::1';
+CREATE USER 'usr'@'%' IDENTIFIED BY 'password';
+USER()	CURRENT_USER()
+usr@localhost	usr@127.0.0.1
+USER()	CURRENT_USER()
+usr@localhost	usr@%
+SET @audit_filter_log_name = audit_log_rotate();
+SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
+###
+### 1.3 Only wildcard user, default audit log rule
+###
+DROP USER 'usr'@'127.0.0.1';
+USER()	CURRENT_USER()
+usr@localhost	usr@%
+USER()	CURRENT_USER()
+usr@localhost	usr@%
+SET @audit_filter_log_name = audit_log_rotate();
+SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
+###
+### 2.1 Only wildcard user, IPv4 audit log rule
+###
+SELECT audit_log_filter_remove_user('%');
+audit_log_filter_remove_user('%')
+OK
+SELECT audit_log_filter_set_user('usr@127.0.0.1', 'log_connect');
+audit_log_filter_set_user('usr@127.0.0.1', 'log_connect')
+OK
+USER()	CURRENT_USER()
+usr@localhost	usr@%
+USER()	CURRENT_USER()
+usr@localhost	usr@%
+SET @audit_filter_log_name = audit_log_rotate();
+SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
+###
+### 2.2 IPv4 and wildcard users, IPv4 audit log rule
+###
+CREATE USER 'usr'@'127.0.0.1' IDENTIFIED BY 'password';
+USER()	CURRENT_USER()
+usr@localhost	usr@127.0.0.1
+USER()	CURRENT_USER()
+usr@localhost	usr@%
+SET @audit_filter_log_name = audit_log_rotate();
+SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
+###
+### 2.3 IPv4 and IPv6 users, IPv4 audit log rule
+###
+DROP USER 'usr'@'%';
+CREATE USER 'usr'@'::1' IDENTIFIED BY 'password';
+USER()	CURRENT_USER()
+usr@localhost	usr@127.0.0.1
+USER()	CURRENT_USER()
+usr@localhost	usr@::1
+SET @audit_filter_log_name = audit_log_rotate();
+SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
+###
+### 3.1 IPv4 and IPv6 users, wildcard audit log rule
+###
+SELECT audit_log_filter_remove_user('usr@127.0.0.1');
+audit_log_filter_remove_user('usr@127.0.0.1')
+OK
+SELECT audit_log_filter_set_user('usr@%', 'log_connect');
+audit_log_filter_set_user('usr@%', 'log_connect')
+OK
+SET @audit_filter_log_name = audit_log_rotate();
+USER()	CURRENT_USER()
+usr@localhost	usr@127.0.0.1
+USER()	CURRENT_USER()
+usr@localhost	usr@::1
+SET @audit_filter_log_name = audit_log_rotate();
+SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
+###
+### 3.2 IPv4 and wildcard users, wildcard audit log rule
+###
+DROP USER 'usr'@'::1';
+CREATE USER 'usr'@'%' IDENTIFIED BY 'password';
+USER()	CURRENT_USER()
+usr@localhost	usr@127.0.0.1
+USER()	CURRENT_USER()
+usr@localhost	usr@%
+SET @audit_filter_log_name = audit_log_rotate();
+SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
+###
+### 3.3 Only wildcard user, wildcard audit log rule
+###
+DROP USER 'usr'@'127.0.0.1';
+USER()	CURRENT_USER()
+usr@localhost	usr@%
+USER()	CURRENT_USER()
+usr@localhost	usr@%
+SET @audit_filter_log_name = audit_log_rotate();
+SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
+SELECT audit_log_filter_remove_user('usr@%');
+audit_log_filter_remove_user('usr@%')
+OK
+DROP USER 'usr'@'%';
diff --git a/plugin/audit_log_filter/tests/mtr/r/udf_audit_log_filter_set_user.result b/plugin/audit_log_filter/tests/mtr/r/udf_audit_log_filter_set_user.result
@@ -35,16 +35,17 @@ ERROR HY000: Can't initialize function 'audit_log_filter_set_user'; Wrong argume
 SELECT audit_log_filter_set_user('aaaaaa', 'filter_1');
 ERROR HY000: Can't initialize function 'audit_log_filter_set_user'; Wrong argument: wrong user_name format, it should be in user_name@host_name format, or '%' to represent the default account
 #
-# Wildcards are not allowed in user or host name
+# [*|%] characters are not allowed in user name
+# [*|] characters are not allowed in host name
 SELECT audit_log_filter_set_user('user%@localhost', 'filter_1');
 ERROR HY000: Can't initialize function 'audit_log_filter_set_user'; Wrong argument: bad user name format
 SELECT audit_log_filter_set_user('user*@localhost', 'filter_1');
 ERROR HY000: Can't initialize function 'audit_log_filter_set_user'; Wrong argument: bad user name format
-SELECT audit_log_filter_set_user('user@host%', 'filter_1');
+SELECT audit_log_filter_set_user('user@host|', 'filter_1');
 ERROR HY000: Can't initialize function 'audit_log_filter_set_user'; Wrong argument: bad host name format
 SELECT audit_log_filter_set_user('user@host*', 'filter_1');
 ERROR HY000: Can't initialize function 'audit_log_filter_set_user'; Wrong argument: bad host name format
-SELECT audit_log_filter_set_user('user@%', 'filter_1');
+SELECT audit_log_filter_set_user('user@|', 'filter_1');
 ERROR HY000: Can't initialize function 'audit_log_filter_set_user'; Wrong argument: bad host name format
 SELECT audit_log_filter_set_user('user@*', 'filter_1');
 ERROR HY000: Can't initialize function 'audit_log_filter_set_user'; Wrong argument: bad host name format
diff --git a/plugin/audit_log_filter/tests/mtr/r/writer_buffer_size_overflow.result b/plugin/audit_log_filter/tests/mtr/r/writer_buffer_size_overflow.result
@@ -29,6 +29,6 @@ Variable_name	Value
 Audit_log_filter_events_lost	3
 SHOW GLOBAL STATUS LIKE 'Audit_log_filter_event_max_drop_size';
 Variable_name	Value
-Audit_log_filter_event_max_drop_size	4406
+Audit_log_filter_event_max_drop_size	4407
 #
 # Cleanup
diff --git a/plugin/audit_log_filter/tests/mtr/t/filter_definition_filter_by_anonymous_user-master.opt b/plugin/audit_log_filter/tests/mtr/t/filter_definition_filter_by_anonymous_user-master.opt
@@ -0,0 +1 @@
+--audit_log_filter_format=JSON
diff --git a/plugin/audit_log_filter/tests/mtr/t/filter_definition_filter_by_anonymous_user.test b/plugin/audit_log_filter/tests/mtr/t/filter_definition_filter_by_anonymous_user.test
@@ -0,0 +1,75 @@
+--source audit_tables_init.inc
+
+--let $anonymous_user_name = foobarbaz
+--let $ipv4_localhost = 127.0.0.1
+
+--let $MYSQL_PORT = `SELECT @@port`
+
+eval CREATE USER ''@'$ipv4_localhost';
+
+SET @filter = '{
+  "filter": {
+    "class": {
+      "name": "connection",
+      "event": {
+        "name": "connect"
+      }
+    }
+  }
+}';
+SELECT audit_log_filter_set_filter('log_connect', @filter);
+
+--echo ###
+--echo ### 1. Connecting as an anonymous user with no rules set
+--echo ###
+SET @audit_filter_log_name = audit_log_rotate();
+
+--source include/count_sessions.inc
+--exec $MYSQL -u$anonymous_user_name -h$ipv4_localhost -P$MYSQL_PORT -e "SELECT USER(), CURRENT_USER();" test
+--source include/wait_until_count_sessions.inc
+SET @audit_filter_log_name = audit_log_rotate();
+SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
+
+--assert(`SELECT JSON_LENGTH(@content) = 0 AS no_connection_events_must_be_logged`)
+
+
+--echo ###
+--echo ### 2. Connecting as an anonymous user with default rule set
+--echo ###
+SELECT audit_log_filter_set_user('%', 'log_connect');
+SET @audit_filter_log_name = audit_log_rotate();
+
+--source include/count_sessions.inc
+--exec $MYSQL -u$anonymous_user_name -h$ipv4_localhost -P$MYSQL_PORT -e "SELECT USER(), CURRENT_USER();" test
+--source include/wait_until_count_sessions.inc
+SET @audit_filter_log_name = audit_log_rotate();
+SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
+
+--assert(`SELECT JSON_LENGTH(@content) = 1 AS one_connection_event_must_be_logged`)
+--assert(`SELECT JSON_EXTRACT(@content, '\$[0].login.user') = '$anonymous_user_name' AS event_must_be_from_fake_user_name`)
+--assert(`SELECT JSON_EXTRACT(@content, '\$[0].login.ip') = '$ipv4_localhost' AS event_must_be_from_ipv4_localhost`)
+
+
+--echo ###
+--echo ### 3. Connecting as an anonymous user with a dedicated rule for this anonymous user
+--echo ###
+SELECT audit_log_filter_remove_user('%');
+eval SELECT audit_log_filter_set_user('@$ipv4_localhost', 'log_connect');
+SET @audit_filter_log_name = audit_log_rotate();
+
+--source include/count_sessions.inc
+--exec $MYSQL -u$anonymous_user_name -h$ipv4_localhost -P$MYSQL_PORT -e "SELECT USER(), CURRENT_USER();" test
+--source include/wait_until_count_sessions.inc
+SET @audit_filter_log_name = audit_log_rotate();
+SET @content = CAST(CONVERT(LOAD_FILE(CONCAT(@@global.datadir, @audit_filter_log_name)) USING ascii) AS JSON);
+
+--assert(`SELECT JSON_LENGTH(@content) = 1 AS one_connection_event_must_be_logged`)
+--assert(`SELECT JSON_EXTRACT(@content, '\$[0].login.user') = '$anonymous_user_name' AS event_must_be_from_fake_user_name`)
+--assert(`SELECT JSON_EXTRACT(@content, '\$[0].login.ip') = '$ipv4_localhost' AS event_must_be_from_ipv4_localhost`)
+
+
+eval SELECT audit_log_filter_remove_user('@$ipv4_localhost');
+
+eval DROP USER ''@'$ipv4_localhost';
+
+--source audit_tables_cleanup.inc
diff --git a/plugin/audit_log_filter/tests/mtr/t/filter_definition_filter_by_wildcard_host-master.opt b/plugin/audit_log_filter/tests/mtr/t/filter_definition_filter_by_wildcard_host-master.opt
@@ -0,0 +1 @@
+--audit_log_filter_format=JSON
diff --git a/plugin/audit_log_filter/tests/mtr/t/filter_definition_filter_by_wildcard_host.test b/plugin/audit_log_filter/tests/mtr/t/filter_definition_filter_by_wildcard_host.test
diff --git a/plugin/audit_log_filter/tests/mtr/t/generate_audit_events.inc b/plugin/audit_log_filter/tests/mtr/t/generate_audit_events.inc
diff --git a/plugin/audit_log_filter/tests/mtr/t/udf_audit_log_filter_set_user.test b/plugin/audit_log_filter/tests/mtr/t/udf_audit_log_filter_set_user.test

Original file line number	Diff line number	Diff line change
`@@ -406,7 +406,7 @@ AuditRecordString LogRecordFormatterJson::apply(`
`406`	`406`	`<< "\",\n"`
`407`	`407`	`<< R"( "status": )" << audit_record.event->status << ",\n"`
`408`	`408`	`<< R"( "db": ")"`
`409`		`- << make_escaped_string(&audit_record.event->database) << "\""`
	`409`	`+ << make_escaped_string(&audit_record.event->database) << "\"\n"`
`410`	`410`	`<< " }" << extra_attrs_to_string(audit_record.extended_info)`
`411`	`411`	`<< "\n }";`
`412`	`412`
`@@ -921,7 +921,7 @@ std::string LogRecordFormatterJson::extra_attrs_to_string(`
`921`	`921`	`is_first_attr = false;`
`922`	`922`	`}`
`923`	`923`
`924`		`- result << "}";`
	`924`	`+ result << "\n }";`
`925`	`925`	`}`
`926`	`926`
`927`	`927`	`return result.str();`
Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,6 @@ Variable_name Value`
`29`	`29`	`Audit_log_filter_events_lost 3`
`30`	`30`	`SHOW GLOBAL STATUS LIKE 'Audit_log_filter_event_max_drop_size';`
`31`	`31`	`Variable_name Value`
`32`		`-Audit_log_filter_event_max_drop_size 4406`
	`32`	`+Audit_log_filter_event_max_drop_size 4407`
`33`	`33`	`#`
`34`	`34`	`# Cleanup`